
Suspected Takeover Attempt Targets an OpenJS Foundation JavaScript Project

Security analysts have uncovered an attempt to take over a project under the OpenJS Foundation that closely resembles the recently discovered compromise of the open-source XZ Utils project.

In a joint alert, the OpenJS Foundation and the Open Source Security Foundation (OpenSSF) disclosed that the OpenJS Foundation Cross Project Council had received a series of suspicious emails carrying similar messages but sent under different names and from different GitHub-associated email addresses.

Robin Bender Ginn, executive director of the OpenJS Foundation, and Omkhar Arasaratnam, general manager of OpenSSF, said the emails urged OpenJS to take immediate action to address critical vulnerabilities in one of its popular JavaScript projects, without specifying what those vulnerabilities were.

The sender(s) also asked to be appointed as a new maintainer of the project, despite having little prior involvement. The same pattern of activity was observed against two other well-known JavaScript projects not hosted by the OpenJS Foundation.

None of these individuals were granted privileged access to the OpenJS-hosted project.

The incident mirrors the tactics used against the sole maintainer of XZ Utils, where fictitious personas appear to have been created to run a social engineering and pressure campaign aimed at elevating Jia Tan (also known as JiaT75) to a co-maintainer role in the project.

The two open source organizations, which declined to name the JavaScript projects involved, suggested that the XZ Utils compromise may not be an isolated incident but part of a broader campaign to undermine the security of many projects.

Jia Tan has no digital footprint beyond their contributions, which suggests the account was fabricated solely to build credibility within the open-source development community over an extended period and eventually plant a backdoor in XZ Utils.

The campaign shows the sophistication and patience behind the operation, which targeted a volunteer-run open-source project used across many Linux distributions and thereby exposed organizations and users to supply chain risk.

The XZ Utils backdoor also highlights the “fragility” of the open-source ecosystem and the risks posed by maintainer burnout, as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted in a recent statement.

CISA officials Jack Cable and Aeva Black stressed that the burden of security should not fall solely on individual open-source maintainers, as it unfortunately did in this case, with nearly catastrophic consequences.

They urged every technology manufacturer that benefits from open source software to do its part by actively engaging with and supporting maintainers in conducting periodic source code audits, mitigating entire categories of vulnerabilities, and implementing robust secure-by-design principles.

According to Bender Ginn and Arasaratnam, these social engineering attacks exploit maintainers’ sense of duty to their projects and communities, manipulating them into actions that run against their own interests.

They advised maintainers to pay attention to their emotional responses to interactions: feelings of self-doubt, inadequacy, or undue pressure can be early signs of a social engineering attempt.
